Diamond
Virus.DOS.Diamond, or Diamond, is a somewhat dangerous memory-resident DOS virus. The virus was written by Dark Avenger. Diamond has 27 variants in 4 versions, represented by the following:

* Virus.DOS.Diamond.444
* Virus.DOS.Diamond.594
* Virus.DOS.Diamond.607
* Virus.DOS.Diamond.1013

Behavior

When the virus is loaded into memory, it hooks INT 8 and INT 21h and infects executables that are run by writing itself to the end of the files. The virus is executed before the host program. For any executable whose header begins with the string "ZM" instead of "MZ", the virus treats it as an EXE file and changes the string to "MZ" during infection. The virus may corrupt some of the files it infects, causing a system hang when these programs are run.

Diamond.444 and 465

After being loaded into memory, these variants set a multiplier starting at 1, which scales the size of each upcoming infection. The infection behaviour differs between the two types of executable. The virus may infect a file more than once in a loop: before each infection it first calculates the file size after infection by adding the infection size to the current file size. If the result would be larger than or equal to 65,024 bytes (FE00h), it breaks out of the loop. For a DOS executable that meets this condition, the virus leaves the file alone and returns to the host program (if the file is uninfected). For an EXE file in the same case, a system hang may occur after infecting a file larger than this size. The infection multiplier increments by 1 after each infection of a DOS executable, so the sequence of multipliers is "1, 2, 3, 4, 5, 6, ...". The largest infection multiplier is 145 for Diamond.444, 138 for Diamond.465 and 133 for Diamond.485, given that the host file is not smaller than the virus itself.
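As an added illustration (not code from the page, nor the virus's own code), the following Python models the two multiplier sequences the page describes for Diamond.444 and 465 together with the FE00h size check; the host sizes are constructed, and the model assumes each infection appends multiplier × virus length to the file. It shows why non-stealth infections of these variants produce conspicuous file-size jumps that a file-integrity check would catch.

```python
# Added example: a model of the infection-size growth described for Diamond.444/465.
# It is not the virus's code; it only reproduces the arithmetic the description gives.
FE00H = 0xFE00  # 65,024-byte limit the virus checks before each infection


def com_multipliers(count):
    """Multiplier sequence for DOS executables: 1, 2, 3, ... (+1 per infection)."""
    return list(range(1, count + 1))


def exe_multipliers(count):
    """Multiplier sequence for EXE files: each new multiplier is the previous one
    plus the sum of all previous multipliers, giving 1, 2, 5, 13, 34, 89, ..."""
    seq = []
    for _ in range(count):
        seq.append(seq[-1] + sum(seq) if seq else 1)
    return seq


def largest_multiplier(virus_len, seq, limit=FE00H):
    """Largest multiplier in seq that still fits under the limit for the smallest
    host the virus accepts (a host no smaller than the virus itself)."""
    fits = [m for m in seq if virus_len + m * virus_len < limit]
    return max(fits) if fits else None


def infect_in_loop(host_size, virus_len, seq, limit=FE00H):
    """Model the repeated-infection loop: append multiplier * virus_len to the file
    while the projected size stays below the limit. seq is the run of multipliers
    available to this file (the counter is global in memory, so pass a slice to
    start from a later value). Returns the file size after each infection."""
    sizes = []
    size = host_size
    for m in seq:
        projected = size + m * virus_len
        if projected >= limit:
            break  # the virus stops infecting this file here
        size = projected
        sizes.append(size)
    return sizes


if __name__ == "__main__":
    print("COM max multiplier, Diamond.444:", largest_multiplier(444, com_multipliers(200)))
    print("COM max multiplier, Diamond.465:", largest_multiplier(465, com_multipliers(200)))
    print("EXE multipliers:", exe_multipliers(7))
    # Constructed 2,000-byte DOS executable host, Diamond.444 resident with counter at 1
    print("Sizes after each infection:", infect_in_loop(2000, 444, com_multipliers(200)))
```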
When an EXE file is infected, the virus adds the sum of all previous infection counts to the multiplier, so EXE files infected after a few infections become very large. The sequence of multipliers is "1, 2, 5, 13, 34, 89", and the largest multiplier is 89 because the infection sizes for the following multipliers are much larger than 64KB. If the user resets the system, the multiplier count is lost and restored to 1 when the virus is loaded into memory again after the reset. Running an infected DOS executable runs only the virus, not the host program, while some infected EXE files run both.

Diamond.485

After this variant has been loaded into memory, it infects any executable that is run. After infecting a file, the virus does not return to DOS, resulting in a system hang. It does not check whether a file has already been infected and will reinfect it.

Diamond.594, 602, 606, 608, 609 and 620

These variants do not infect a file more than once. After infecting a file, the virus does not return to DOS, which makes the system hang (except Diamond.602). Diamond.606 does not infect files smaller than itself.

Diamond.607, 621, 624, 626, 666.b, 891, 1013, 1014, 1024, 1050, 1063, 1096, 1110, Greemlin.1146 and RockSteady.666

These variants are stealthy, so no file size change can be observed for infected files. They do not infect files smaller than themselves, but they do infect any larger files that those files link to. For example, the overlay file EDIT.COM (413 bytes) is linked with QBASIC.EXE (189.8KB): the virus does not infect EDIT.COM because it is smaller than the virus, but QBASIC.EXE is infected during execution.

Diamond.Lucifer.1086

If the timestamp of a file to be infected by this variant is 12:00 AM, it removes the timestamp so that the infected file has no last-modified time.

Payload

Not every variant contains a payload.
Diamond.594, 602, 606, 608 and 620

When one of these variants is in memory and the user types the DIR command, the system hangs and keyboard input is disabled; a hard reset is required to reboot the computer.

Diamond.666.b and RockSteady.666

When an infected program is run on the 13th of any month, the virus formats the first 10 cylinders of head 0, overwrites the first 32 logical sectors of C: with garbage, and resets the system with INT 19h.

Diamond.1013, 1014, 1024, 1050, 1063, 1096, 1110 and Lucifer.1086

On Tuesdays, the virus attempts to format the hard drive but fails due to a programming error, and formats the third floppy drive instead. When the minute is 0 and the second is between 0 and 13, the virus prints a big diamond made of diamond characters (ASCII 04h) in different colours, which then breaks up and starts bouncing around the screen. Diamond.1013 prints the big diamond, but its diamond characters do not move, so it can be cleared by typing CLS or some other command. When an infection occurs while the payload is active, the virus also saves the current positions of the diamond characters into the host file.

Diamond.Greemlin.1146

This variant also prints a big diamond made of diamond characters, which breaks up and starts bouncing around the screen. Additionally, it slows the system down by 10%. When an infected program is run on July 14th, it overwrites some sectors on floppy disks and the hard drive.
Variants

The complete list of variants of the Diamond family:

* Virus.DOS.Diamond.444
* Virus.DOS.Diamond.465
* Virus.DOS.Diamond.485
* Virus.DOS.Diamond.568
* Virus.DOS.Diamond.584
* Virus.DOS.Diamond.594
* Virus.DOS.Diamond.602
* Virus.DOS.Diamond.606
* Virus.DOS.Diamond.607
* Virus.DOS.Diamond.608
* Virus.DOS.Diamond.609
* Virus.DOS.Diamond.614
* Virus.DOS.Diamond.620
* Virus.DOS.Diamond.621
* Virus.DOS.Diamond.624
* Virus.DOS.Diamond.626
* Virus.DOS.Diamond.666.b
* Virus.DOS.Diamond.891
* Virus.DOS.Diamond.978
* Virus.DOS.Diamond.994
* Virus.DOS.Diamond.1013
* Virus.DOS.Diamond.1014
* Virus.DOS.Diamond.1024 (A and B)
* Virus.DOS.Diamond.1050
* Virus.DOS.Diamond.1063
* Virus.DOS.Diamond.1096
* Virus.DOS.Diamond.1110
* Virus.DOS.Diamond.Greemlin.1146
* Virus.DOS.Diamond.Lucifer.1086
* Virus.DOS.Diamond.RockSteady.666

Other details

Ah (David) and Rocko are variants of Diamond. Diamond.666.b and RockSteady.666 are later versions of Rocko.

Some stealthy variants may detect other variants that use the same technique. Assume file A contains the 624-variant and file B contains the 626-variant, so that their sizes are A+624 bytes and B+626 bytes respectively. If file B is executed, the 626-variant becomes resident in memory. Under the DIR command, B shows its original file size (i.e. B bytes), but the size of A is shown as A-2 bytes.

Files infected by the Diamond virus may contain the internal text string: eGost 2. Compared with the original sample, this piece of text replaces 8 bytes of NOPs at the same position.

Internal text strings found in the variants:

* Diamond.444 and 465: 9090909090
* Diamond.485, 568, 584, 594, 602, 606, 607, 608, 609, 614, 620, 621, 624, 626, 891, 978, 994, 1013, 1024 and 1096: 7106286813
* Diamond.666.b and RockSteady.666: RocK STeaDY (modified)
* Diamond.1050: NEW DIAMOND
* Diamond.1063: DAMAGE!!!!
* Diamond.1110: DAMAGE-B!!
* Diamond.Greemlin.1146: greemlin
* Diamond.Lucifer.1086: Lucifer © by C.J. C.J.